
OpenID vs OAuth - Identity on the Web

Short comparison between OAuth and OpenID

Published in: Technology, Design


  1. Identity on the Web: OpenID vs OAuth • Identity Management in SOA • Richard Metzler, May 2010
  2. Outline • I. User Authentication • II. OpenID • III. OAuth • IV. Compare OpenID & OAuth • V. My Project
  3. User Authentication
  4. User Authentication • every single website needs my credentials • username / e-mail • password • should be secure • should not be reused • how to remember?
  5. Resulting Problems • identity is scattered • passwords: millions to remember vs recycling • how to authorize third-party access? ➡ Password Anti-Pattern
  6. OpenID
  7. OpenID • sharing a single identity with different consumers • decentralized • OpenID 2.0 (without XRI) http://openid.net/
  8. Roles in OpenID • User owns an account at the OpenID Provider (OP) • User proves Identity to the Relying Party (RP)
  9. OpenID Flow http://www.openaselect.org/trac/openaselect/wiki/OpenID
  10. Sign in with OpenID Identifier
  11. Discovery & Delegation • obtain OP Endpoint
  12. Establish Association • shared secret between Relying Party & OpenID Provider • Diffie-Hellman Key Exchange • (g^xa)^xb mod p = (g^xb)^xa mod p http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
  13. Redirect User Agent to OP Endpoint
  14. Redirect User Agent to OP Endpoint
  15. Return URL Verification • OpenID Provider checks: do Realm and return_to URL match?
  16. User Authentication
  17. OpenID Provider presents Realm
  18. Redirect User Agent back to the return_to URL at the Relying Party
  19. Redirect User Agent back to the return_to URL at the Relying Party
  20. Verification • Relying Party checks: • return_to URL • OpenID Identifier • was Nonce never used before? • fields signed, signature valid
  21. Logged in
  22. OpenID Flow http://www.openaselect.org/trac/openaselect/wiki/OpenID
  23. OAuth
  24. OAuth • sharing your data without sharing your password • centralized • OAuth 1.0a (current version as of May 2010) • Draft for OAuth 2.0 http://oauth.net/
  25. Roles • User owns Resource at Service Provider • User grants Consumer access to Resource
  26. OAuth Dance http://fireeagle.yahoo.net/developer/documentation/web_auth
  27. Register Consumer, get Consumer Key • manually register Consumer at Service Provider • identified by Consumer Key / Consumer Secret • Callback URL • all subsequent Requests must be signed with Secret, Nonce & Timestamp
  28. Sign in with OAuth
  29. Get Request Token • Consumer asks Service Provider for Request Token • Request Token identifies the authorization workflow • not user specific • transmitted in the URL when the User Agent is redirected
  30. HTTP Redirect to Service Provider
  31. HTTP Redirect to Service Provider
  32. Authenticate
  33. Grant Access
  34. HTTP Redirect to Consumer Callback
  35. HTTP Redirect to Consumer Callback
  36. Get Access Token • Consumer trades Request Token for Access Token • Access Token grants access to Service Provider on behalf of User • user specific
  37. Logged in
  38. Access Resource • authenticated access to Resource • must be signed • Consumer Key • OAuth Token • Timestamp • Nonce
  39. OAuth Dance http://fireeagle.yahoo.net/developer/documentation/web_auth
  40. OpenID vs OAuth
  41. Commonalities • both involve 3 parties • open protocols, community driven • HTTP based • not mutually exclusive
  42. Differences • sharing: identity (OpenID) vs data resources (OAuth) • decentralized vs centralized • Consumer-Provider relationship: unknown (any Relying Party can talk to any OpenID Provider) vs well-known (the Consumer is registered at the Service Provider)
  43. My Project
  44. My Project • implement OAuth Service Provider & OAuth Consumer example • API for manageable resources (ideas) • profile pictures • activity streams Atom feed extension • RESTful API for editing RDF::FOAF data http://activitystrea.ms/ http://www.foaf-project.org/
  45. Questions?
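Slides 12, 15 and 20 name the three security-critical steps of the OpenID 2.0 flow: the association that gives RP and OP a shared MAC key, the OP's check that return_to lies inside the realm, and the RP's check of return_to, identifier, nonce and signature on the positive assertion. The block below is an added worked example in Python, not code from the deck or from any OpenID library, that runs those steps offline with both sides in one process. The OP endpoint, the URLs in demo() and passing messages as plain dicts (the openid.* parameters with the prefix dropped) are assumptions for the demo; the DH modulus constant is the OpenID 2.0 default from Appendix B of the spec and should be checked against the spec before any real use, since the code runs unchanged with any DH group.

```python
"""OpenID 2.0 association (slide 12), realm check (slide 15) and assertion verification
(slide 20). Added example, not code from the deck or an OpenID library. DH-SHA1 session
type and HMAC-SHA1 signatures as in the OpenID 2.0 spec; transport is left out."""
import base64
import calendar
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlparse

# Default DH modulus/generator as given in Appendix B of the OpenID 2.0 spec. Assumption:
# check the constant against the spec before relying on it; the code works with any group.
DEFAULT_MOD = 155172898181473697471232257763715539915724801966915404479707795314057629378541917580651227423698188993727816152646631438561595825688188889951272158842675419950341258706556549803580104870537681476726513255747040765857479291291572334510643245094715007229621094194349783925984760375594985848253359305585439638443
DEFAULT_GEN = 2
OP_ENDPOINT = "https://op.example.org/server"   # hypothetical OP endpoint URL
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
                   "claimed_id", "identity"}      # fields the spec requires to be signed


def btwoc(n):
    """Big-endian two's-complement encoding of a non-negative integer (spec section 4.2)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def sign(mac_key, fields, signed):
    """HMAC-SHA1 over the Key-Value form of the signed fields, in the order of 'signed'."""
    kv = "".join(f"{k}:{fields[k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(mac_key, kv, hashlib.sha1).digest()).decode()


# Slide 12: the MAC key never travels in clear; it is XORed with SHA1 of the DH shared
# secret, which both sides compute as (g^xa)^xb mod p = (g^xb)^xa mod p.
def rp_begin_association():
    xa = secrets.randbelow(DEFAULT_MOD - 2) + 1
    return xa, pow(DEFAULT_GEN, xa, DEFAULT_MOD)          # keep xa, send dh_consumer_public


def op_answer_association(dh_consumer_public, mac_keys):
    xb = secrets.randbelow(DEFAULT_MOD - 2) + 1
    handle, mac_key = secrets.token_hex(8), secrets.token_bytes(20)
    mac_keys[handle] = mac_key                            # OP state: assoc_handle -> MAC key
    shared = pow(dh_consumer_public, xb, DEFAULT_MOD)
    enc_mac_key = xor_bytes(hashlib.sha1(btwoc(shared)).digest(), mac_key)
    return handle, pow(DEFAULT_GEN, xb, DEFAULT_MOD), enc_mac_key


def rp_finish_association(xa, dh_server_public, enc_mac_key):
    shared = pow(dh_server_public, xa, DEFAULT_MOD)
    return xor_bytes(hashlib.sha1(btwoc(shared)).digest(), enc_mac_key)


# Slide 15: the OP only sends assertions to a return_to inside the realm (spec section 9.2).
def return_to_matches_realm(return_to, realm):
    r, t = urlparse(realm), urlparse(return_to)
    if r.scheme != t.scheme or r.port != t.port or t.fragment or not t.hostname:
        return False
    if r.hostname.startswith("*."):
        host_ok = t.hostname == r.hostname[2:] or t.hostname.endswith(r.hostname[1:])
    else:
        host_ok = t.hostname == r.hostname
    return host_ok and t.path.startswith(r.path or "/")


def op_positive_assertion(mac_keys, handle, claimed_id, return_to, realm):
    if not return_to_matches_realm(return_to, realm):
        raise ValueError("return_to is outside the realm")
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(6)
    fields = {"op_endpoint": OP_ENDPOINT, "claimed_id": claimed_id, "identity": claimed_id,
              "return_to": return_to, "assoc_handle": handle, "response_nonce": nonce,
              "signed": ",".join(sorted(REQUIRED_SIGNED))}
    fields["sig"] = sign(mac_keys[handle], fields, fields["signed"].split(","))
    return fields


# Slide 20: the RP checks return_to, the identifier, nonce freshness and uniqueness, and
# that every required field is covered by a valid signature, before trusting the assertion.
def rp_verify(fields, mac_key, expected_return_to, expected_claimed_id, seen_nonces, max_age=300):
    signed = fields.get("signed", "").split(",")
    nonce = fields.get("response_nonce", "")
    try:
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False
    if (fields.get("return_to") != expected_return_to
            or fields.get("claimed_id") != expected_claimed_id
            or not REQUIRED_SIGNED <= set(signed)   # the spec, not the sender, fixes the minimum
            or any(k not in fields for k in signed)
            or abs(time.time() - issued) > max_age  # stale assertion
            or nonce in seen_nonces                 # replayed assertion
            or not hmac.compare_digest(sign(mac_key, fields, signed).encode(),
                                       fields.get("sig", "").encode())):
        return False
    seen_nonces.add(nonce)
    return True


def demo():
    """Constructed run: association, one accepted login, a replay and a forged identifier."""
    mac_keys, seen = {}, set()
    xa, pub_a = rp_begin_association()
    handle, pub_b, enc_mac_key = op_answer_association(pub_a, mac_keys)
    mac_key = rp_finish_association(xa, pub_b, enc_mac_key)
    rp, user = "https://rp.example.net/openid/return", "https://alice.example.org/"
    assertion = op_positive_assertion(mac_keys, handle, user, rp, "https://rp.example.net/")
    accepted = rp_verify(assertion, mac_key, rp, user, seen)
    replayed = rp_verify(assertion, mac_key, rp, user, seen)
    forged = dict(assertion, claimed_id="https://mallory.example.org/")
    forged_ok = rp_verify(forged, mac_key, rp, "https://mallory.example.org/", set())
    return mac_key == mac_keys[handle], accepted, replayed, forged_ok
```

demo() returns (True, True, False, False): both sides derive the same MAC key, the first assertion is accepted, its replay is rejected because the response_nonce has already been seen, and an assertion whose claimed_id was swapped fails the signature check. The RP also insists that the signed list covers every field the spec requires rather than trusting whatever list arrives, and bounds the nonce store by rejecting assertions older than max_age.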

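Slides 27, 29, 36 and 38 describe how an OAuth 1.0a Consumer is registered, obtains tokens and then signs every resource request with Consumer Key, token, timestamp and nonce. The block below is an added example in Python, not code from the deck or from any OAuth library, that builds such a signed request on the Consumer side and verifies it on the Service Provider side, including the replay checks that the timestamp and nonce exist for. It follows the HMAC-SHA1 method of RFC 5849 section 3.4, the IETF write-up of OAuth 1.0a; the request, identifiers and secrets in demo() are taken from the RFC's worked example, while the ServiceProvider class, its 300-second window and the token owner "alice" are assumptions for the demo.

```python
"""OAuth 1.0a request signing (slides 27 and 38) and Service Provider verification with
nonce and timestamp replay checks. Added example, not code from the deck: HMAC-SHA1 as in
RFC 5849 section 3.4. ServiceProvider, its window and the user "alice" are assumptions."""
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlparse


def enc(s):
    """OAuth percent-encoding: only RFC 3986 unreserved characters stay unescaped."""
    return quote(str(s), safe="-._~")


def base_url(url):
    """scheme://host[:port]/path with lowercase scheme and host; default ports dropped."""
    u = urlparse(url)
    host = u.hostname or ""
    if u.port and u.port != {"http": 80, "https": 443}.get(u.scheme):
        host += f":{u.port}"
    return f"{u.scheme}://{host}{u.path or '/'}"


def signature_base_string(method, url, oauth_params, body=""):
    """METHOD & enc(base URL) & enc(sorted, encoded params from header, query and body)."""
    pairs = [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    pairs += parse_qsl(urlparse(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((enc(k), enc(v)) for k, v in pairs))
    return "&".join([method.upper(), enc(base_url(url)), enc(normalized)])


def hmac_sha1_signature(method, url, oauth_params, consumer_secret, token_secret="", body=""):
    # Signing key is consumer secret & token secret: both must be known to sign (slide 38).
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    msg = signature_base_string(method, url, oauth_params, body).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def consumer_sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                          body="", nonce=None, timestamp=None):
    """Consumer side (slide 27): key, token, timestamp and nonce on every request, all
    signed with the secrets. Returns the Authorization header value."""
    params = {"oauth_consumer_key": consumer_key, "oauth_token": token,
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
              "oauth_nonce": nonce or secrets.token_hex(8)}
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret,
                                                    token_secret, body)
    return "OAuth " + ", ".join(f'{k}="{enc(v)}"' for k, v in params.items())


def parse_authorization_header(header):
    if not header.startswith("OAuth "):
        return {}
    return {unquote(k): unquote(v) for k, v in re.findall(r'([\w%.-]+)="([^"]*)"', header[6:])}


class ServiceProvider:
    """Checks consumer key, token, timestamp window, nonce uniqueness and signature, in that
    order, and returns the user the token was issued to, or None."""

    def __init__(self, consumers, tokens, max_skew=300):
        self.consumers = consumers    # consumer_key -> consumer_secret (registered, slide 27)
        self.tokens = tokens          # oauth_token -> (token_secret, user) (issued, slide 36)
        self.max_skew = max_skew
        self.seen = set()             # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, header, body="", now=None):
        p = parse_authorization_header(header)
        secret = self.consumers.get(p.get("oauth_consumer_key"))
        token = self.tokens.get(p.get("oauth_token"))
        if secret is None or token is None or p.get("oauth_signature_method") != "HMAC-SHA1":
            return None
        try:
            ts = int(p.get("oauth_timestamp", ""))
        except ValueError:
            return None
        now = time.time() if now is None else now
        if abs(now - ts) > self.max_skew:
            return None               # stale or clock-skewed: outside the replay window
        replay_key = (p["oauth_consumer_key"], ts, p.get("oauth_nonce", ""))
        if replay_key in self.seen:
            return None               # same consumer, timestamp and nonce: a replay
        expected = hmac_sha1_signature(method, url, p, secret, token[0], body)
        if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
            return None               # covers method, base URL, query, body and oauth_* params
        self.seen.add(replay_key)
        return token[1]


# Constructed demo input: the request, keys and secrets of RFC 5849's worked example.
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"


def demo():
    sp = ServiceProvider({"9djdj82h48djs9d2": "j49sk3j29djd"},
                         {"kkk9d7dh3k39sjv7": ("dh893hdasih9", "alice")})
    header = consumer_sign_request("POST", RFC_URL, "9djdj82h48djs9d2", "j49sk3j29djd",
                                   "kkk9d7dh3k39sjv7", "dh893hdasih9", RFC_BODY,
                                   nonce="7d8f3e4a", timestamp=137131201)
    first = sp.verify("POST", RFC_URL, header, RFC_BODY, now=137131201)
    replay = sp.verify("POST", RFC_URL, header, RFC_BODY, now=137131201)
    tampered = ServiceProvider(sp.consumers, sp.tokens).verify(
        "POST", RFC_URL, header, RFC_BODY + "&admin=1", now=137131201)
    return first, replay, tampered
```

demo() returns ('alice', None, None): the signed request is accepted once, the identical request is rejected as a replay, and the same header over a modified body fails because the form body is part of the signature base string. The token exchange of slides 29 and 36 signs its requests the same way, with the request-token secret (or an empty token secret for the very first request) where the block uses the access-token secret.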